APAR status
Closed as program error.
Error description
MQ Sender channel (mqlink) to z/OS WebSphere Application Server (WAS) Service Integration Bus (SIB) Receiver channel is unable to start with a TLS 1.2 cipher and certificates signed with a SHA2 signature.

MQ queue manager error log shows:
AMQ9209: channel closed
AMQ9999: Channel ended abnormally

WAS OUTPUT.txt log shows:
SIBFAPInboundThreadPool : 0, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLHandshakeException: Certificates within the CertificateMsg to be sent to the client contain signatures which are not allowed
%% Invalidated: Session-1, SSL_RSA_WITH_AES_128_CBC_SHA256
SIBFAPInboundThreadPool : 0, SEND TLSv1.2 ALERT: fatal, description = internal_error
Local fix
Use certificates signed with SHA1 signature algorithm.
Problem summary
****************************************************************
USERS AFFECTED:
This issue affects users of MQ v7.1 and 7.5 who are establishing a TLS 1.2 channel connection to an endpoint other than another MQ queue manager. This has been seen with an MQLINK SIB Receiver channel on WAS, where the SIB application acts as an MQ RCVR channel. Connections from an MQ queue manager via non-transparent TLS proxies may also be impacted, depending on how the proxy implementation responds to the absence of the TLS 1.2 signature algorithms extension.

Platforms affected: MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
When an MQ queue manager established an outbound TLS 1.2 connection, it did not send the signature algorithms extension described in RFC 5246. The receiving end of a TLS 1.2 connection may use this extension to determine which certificate to send in response. Where another MQ queue manager was the receiving end of the connection, this omission had no impact, as the certificate configured for the queue manager (or channel) would be returned regardless. In the failing case, the SIB application chose not to offer a certificate with a SHA-2 signature to the initiating side of the connection, because the signature algorithms extension was absent. This caused the connection to fail.
Problem conclusion
The MQ queue manager outbound channel logic has been updated to set the signature algorithms extension for outbound TLS 1.2 connections.
---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:

Version   Maintenance Level
v7.1      7.1.0.9
v7.5      7.5.0.8

The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes':
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates':
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
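The following Python script is an added illustration of the RFC 5246 behaviour behind this APAR; it is not IBM MQ or WAS code. It constructs a minimal TLS 1.2 ClientHello (constructed sample bytes, not a capture) with and without the signature_algorithms extension, parses the extension back out, and applies the server-side rule from RFC 5246 section 7.4.1.4.1: when the extension is absent the server must act as if the client had offered only {sha1, rsa} for an RSA key exchange, so a certificate chain signed with SHA-256 cannot be sent, which is exactly the "signatures which are not allowed" failure in the WAS log. With the extension present (the fix), the SHA-256 signed certificate is allowed. The function and constant names are the script's own assumptions; the cipher suite value 0x003C is the standard code point for TLS_RSA_WITH_AES_128_CBC_SHA256, the suite named in the log.

```python
import struct

# TLS 1.2 registries from RFC 5246 section 7.4.1.4.1 (HashAlgorithm / SignatureAlgorithm).
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {1: "rsa", 2: "dsa", 3: "ecdsa"}
EXT_SIGNATURE_ALGORITHMS = 0x000D                 # extension type "signature_algorithms"
TLS_RSA_WITH_AES_128_CBC_SHA256 = b"\x00\x3c"     # the suite named in the WAS log


def signature_algorithms_extension(pairs):
    """Encode a signature_algorithms extension from (hash_name, sig_name) pairs."""
    hash_ids = {v: k for k, v in HASH_NAMES.items()}
    sig_ids = {v: k for k, v in SIG_NAMES.items()}
    body = b"".join(bytes([hash_ids[h], sig_ids[s]]) for h, s in pairs)
    data = struct.pack("!H", len(body)) + body      # supported_signature_algorithms<2..2^16-2>
    return struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(data)) + data


def build_client_hello(extensions=b"", cipher_suites=TLS_RSA_WITH_AES_128_CBC_SHA256):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture)."""
    body = (
        b"\x03\x03"                                     # client_version = TLS 1.2
        + b"\x11" * 32                                  # fixed 'random' so output is reproducible
        + b"\x00"                                       # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                   # one compression method: null
    )
    if extensions:                                      # extensions block is optional in TLS 1.2
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(record):
    """Return {ext_type: ext_data} from a ClientHello record; {} when no extensions block."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello record")
    pos = 9 + 2 + 32                                    # record hdr + handshake hdr + version + random
    pos += 1 + record[pos]                              # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                                   # cipher_suites
    pos += 1 + record[pos]                              # compression_methods
    if pos >= len(record):
        return {}                                       # no extensions at all (the pre-fix MQ case)
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    exts = {}
    while pos < end:
        ext_type, data_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        exts[ext_type] = record[pos:pos + data_len]
        pos += data_len
    return exts


def offered_signature_algorithms(record):
    """(hash, sig) pairs the client advertised, or None when the extension is absent."""
    data = parse_extensions(record).get(EXT_SIGNATURE_ALGORITHMS)
    if data is None:
        return None
    n = struct.unpack("!H", data[:2])[0]
    return [(HASH_NAMES.get(data[i], "?"), SIG_NAMES.get(data[i + 1], "?"))
            for i in range(2, 2 + n, 2)]


def server_may_send_cert(record, cert_hash, cert_sig="rsa"):
    """Server-side rule from RFC 5246 7.4.1.4.1: every certificate the server sends must be
    signed with a pair from the client's extension; if the extension is absent and the key
    exchange is RSA-based, the server must behave as if the client had sent {sha1, rsa}."""
    offered = offered_signature_algorithms(record)
    if offered is None:
        offered = [("sha1", cert_sig)]
    return (cert_hash, cert_sig) in offered


if __name__ == "__main__":
    # Pre-fix MQ: SHA256 cipher suite but no signature_algorithms extension.
    no_ext = build_client_hello()
    # Post-fix MQ: the extension advertises SHA-2 and SHA-1 with RSA.
    with_ext = build_client_hello(signature_algorithms_extension([("sha256", "rsa"), ("sha1", "rsa")]))
    for label, hello in (("without extension", no_ext), ("with extension", with_ext)):
        print(label, "-> offered:", offered_signature_algorithms(hello),
              "| SHA-256 cert allowed:", server_may_send_cert(hello, "sha256"),
              "| SHA-1 cert allowed:", server_may_send_cert(hello, "sha1"))
```

The point the script makes is that offering a *_SHA256 cipher suite says nothing about which certificate signatures the client accepts; only the signature_algorithms extension does, and its absence silently pins the server to SHA-1 signed chains. That is why the local fix (SHA-1 signed certificates) worked and why adding the extension on the sending side resolves it.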
Temporary fix
Comments
APAR Information
APAR number
IV93261
Reported component name
WMQ LIN X86 V7
Reported component ID
5724H7224
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-02-09
Closed date
2017-02-28
Last modified date
2017-02-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WMQ LIN X86 V7
Fixed component ID
5724H7224
Applicable component levels
Line of Business: Automation (LOB45)
Business Unit: Cloud & Data Platform (BU053)
Product: WebSphere MQ (SSFKSJ)
Platform: Platform Independent (PF025)
Version: 7.1
Document Information
Modified date:
08 March 2021